KLUG Weekly Meeting Notes

Tuesday, February 21, 2006

 

A GNU PRIVACY GUARD (GPG) KEY SIGNING PARTY!

Hosted by Dirk Bartley

Dirk Bartley's November 15, 2005 GPG Presentation

ftp://kalamazoolinux.org/pub/pdf/gpg.pdf

GNU Privacy Guard
http://www.gnupg.org

GnuPG Keysigning Party HOWTO

http://www.cryptnet.net/fdp/crypto/gpg-party.html

With a fingerprint list handout and a flip chart for visual
support, Dirk Bartley explained what needs to be accomplished
once you have generated your GPG encryption keys. Answering
questions until there was silence, Dirk shared his knowledge
of Open Source GNU Privacy Guard.

A weak point of public key encryption is the distribution of
the public keys. Someone could put a public key with a false
user ID into circulation. If messages are encrypted with that
key, the intruder can decrypt and read them. If the intruder then
re-encrypts each message with the genuine public key and passes it
on to the actual recipient, the attack goes unnoticed.

Always set an expiration date on your keys when you create them.
If you don’t, you might become haunted by ghost keys.

If you have a wrong public key you can say goodbye to the value
of your encryption. To overcome such risks, keys can be signed.
In that case you place your signature on the key, so that you
are absolutely positive that this key is valid. The signature
thereby acknowledges that the user ID mentioned in the key is
actually the owner of that key. With that reassurance you can
start encrypting.

The PGP solution (and therefore automatically the GnuPG
solution) consists of signing keys. A public key can be signed by
other people. This signature acknowledges that the key used by
the UID (User Identification) actually belongs to the person it
claims to belong to. It is then up to the user of GnuPG how far
the trust in the signature goes. You can consider a key trustworthy
when you trust the sender of the key and you know for sure that
the key really belongs to that person. Only when you can trust
the key of the signer can you trust the signature. To be absolutely
positive that the key is correct, you have to compare the
fingerprint over reliable channels before giving absolute trust.

gpg --search-keys 2
gpg --edit-key
gpg --send-key 4
gpg --refresh-key
gpg --sign-key 3
gpg --gen-key 1
gpg --list-sigs
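
One way to script the fingerprint comparison described above before running gpg --sign-key. This is an added example, not part of Dirk's presentation; the function names are hypothetical, and it assumes 40-hex-digit (v4) fingerprints as printed on a party handout and a key ID (not a name) as the first argument.

```shell
#!/bin/sh
# Added example: refuse to sign a key unless the copy in the local keyring
# has the same fingerprint the owner confirmed in person (the handout).

# Strip spaces, colons and newlines, and upper-case the hex digits, so that
# "ab12 cd34 ..." from a handout compares equal to gpg's "AB12CD34...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF'
}

# Succeeds only when both values are the same full 40-hex-digit fingerprint.
# Short key IDs are rejected: they are too short to identify a key safely.
fpr_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    case "$a" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Fingerprint of a key in the local keyring, taken from field 10 of the
# "fpr" record in gpg's machine-readable (--with-colons) output.
local_fpr() {
    gpg --with-colons --fingerprint "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage: sign_if_verified KEYID "fingerprint as printed on the handout"
sign_if_verified() {
    keyid=$1
    handout_fpr=$2
    if fpr_matches "$handout_fpr" "$(local_fpr "$keyid")"; then
        gpg --sign-key "$keyid"
    else
        echo "fingerprint mismatch for $keyid: not signing" >&2
        return 1
    fi
}
```

A mismatch means the key fetched from the keyserver is not the one its owner vouched for, which is exactly the substituted-key case the notes warn about.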
